Vulnerability
Cisco
Affected
Cisco 675
Description
Bill Watts found the following. When a certain long distance provider
in his area began forcefully switching all non-business/special
ADSL accounts over to using PPP rather than bridging mode for
'security reasons', DeMoNx got a little suspicious. With bridging
mode enabled on a Cisco 675, one used to be able to hook up
seemingly limitless machines (provided you have the hubs) to one
DSL connection using DHCP. Now with PPP, your DHCP server becomes
10.10.10.0...your 675, which in turn uses DHCP or IPCP to handle
traffic between itself and your ISP....blah blah blah etc.
The point is, with all this wonderfully confusing hubbub, many people
are pulling their hair out trying to fathom the first 5 pages of
the 'CBOS Users Guide', trying in vain to set up their DSL to
avoid paying $90 to the guys that will end up coming to their
house and setting it up for them. The problem is, *most* of
these guys don't set passwords on the 675s. It is very simple
to compromise an unpassworded 675. Simply hit 'enter' at the
password prompt after telnetting in; if you get a cbos> prompt you
are half way there, NOT GOOD. If there is no exec mode password
set, then there most likely won't be an enable (superuser) mode
password either. So, at this prompt you simply type 'enable' and
hit enter twice. If you are in enable mode, your prompt will
change to the # symbol, and you have full access to all the
router's settings. ISPs are letting this happen; people are
buying this technology without any knowledge that they may be at
this kind of risk. Below is a log of one such Cisco 675. The
IPs and hostnames have been changed to protect the irresponsible
*and* the uninformed.
$ telnet adslppp93.lame.isp.net
Trying 296.161.127.93...
Connected to adslppp93.lame.isp.net.
Escape character is '^]'.
User Access Verification
Password: (Just hit enter, whoa! No password!)
cbos>enable (with just 8 keystrokes full access is given)
Password:
cbos#stats ppp (Hmm, who's 675 is this?)
VC VPI/VCI STATE MRU USERNAME RADIUS TX RX
wan0-0 01/01 Opened State 2048 poorsap disabled 358673 358956
cbos#exit
Connection closed by foreign host.
This is pretty well known, and not to mention that you can really
get free dialups through this method by doing 'show nvram' and
reading the username and password in the display, for example:
cbos# show nvram
<snip>
PPP Port User Name = 00, username
PPP Port User Password = 00, mycleartextpass
<snip>
Since this anonymous ISP provides 'roaming' access with their
DSLs, if you are in their 14 state region, you can use that l/p
combination to have a free dialup.. there are numerous other
things you can do from the router...
Francis Bodie added the following (sort of related). He had to do a
password recovery on a 675, which is an undocumented procedure (or
at least not in the manual). To recover the password you do the
following steps:
1. Reboot the Cisco 675
2. Access the device through the serial console (speed: 34000, 8, N, 1)
3. Issue the break command, <CTRL>-C
4. The Cisco 675 should display a => prompt
5. Issue the command: ES 6 (Erase Page? 6)
6. Issue the command: M0 (turn off monitor mode)
7. Issue the command: go
8. The modem should reboot, with exec and ena passwords removed
NOTE: You will also lose your entire config. Apparently the
whole ROM monitor mode on the 675 is a bit strange, most likely
due to it being a former NetSpeed product.
Solution
Cisco has recognized this as a problem. It is fixed in 2.1.0a
and in 2.2.0 (2.2.0 out shortly): the 675 will react like classic
IOS and not allow telnet if an exec password is not set. Now, to
change these passwords (the easiest way of securing the router):
- type 'enable' hit enter to enter administration mode
- then type 'set password exec clear NEWPASSWORD exec' to keep
them out
- and then 'set password enable clear NEWPASSWORD enable' to
change the superuser password.
This is what the person who setup the 675 *SHOULD* have done prior
to leaving the jobsite.
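The following is an added example, not code from the advisory, from the posters or from Cisco. It turns the manual check described in the Description (blank exec password, then blank enable password, then reading PPP credentials out of 'show nvram') and the two 'set password' commands from the Solution into an audit-and-remediate routine. The real telnet transport is replaced by an in-memory mock of a CBOS session so the script runs offline; the prompts, the 'show nvram' credential lines and the command forms are copied from this page, while the class and function names (FakeCbos, audit, harden), the mock's exact behaviour and the sample credentials are constructed for the example. To drive a real device, only the mock's send() would need to be replaced by one that writes the line to a socket and reads back to the next prompt.

```python
"""Audit a Cisco 675 (CBOS) login for the empty exec/enable password
weakness described in this advisory, then apply the Solution's commands.

Added example, not code from the advisory or from Cisco. The device is an
in-memory mock (FakeCbos) so everything runs offline; prompts, 'show nvram'
lines and 'set password' forms come from the page, the rest is constructed.
"""
import re

# Matches the credential lines shown in the advisory's 'show nvram' excerpt.
PPP_CRED_RE = re.compile(r"PPP Port User (Name|Password) = \d+, (\S+)")
# The two commands from the Solution section, with the password slotted in.
SET_PW_RE = re.compile(r"set password (exec|enable) clear (\S+) \1")


class FakeCbos:
    """Constructed stand-in for a CBOS telnet session (not a real device).

    States: 'login' (Password: prompt), 'exec' (cbos>), 'enable' (cbos#).
    An empty password string models a password that was never set.
    """

    def __init__(self, exec_pw="", enable_pw="",
                 ppp_user="poorsap", ppp_pass="mycleartextpass"):
        self.exec_pw, self.enable_pw = exec_pw, enable_pw
        self.ppp_user, self.ppp_pass = ppp_user, ppp_pass   # sample values
        self.reconnect()

    def reconnect(self):
        """Start a fresh telnet session at the initial Password: prompt."""
        self.state, self.pending = "login", None

    def prompt(self):
        return "cbos#" if self.state == "enable" else "cbos>"

    def send(self, line):
        """Feed one line as typed by the client; return the device's reply."""
        if self.state == "login":
            if line == self.exec_pw:
                self.state = "exec"
                return "\n" + self.prompt()
            return "\nPassword:"
        if self.pending == "enable":          # answering the enable prompt
            self.pending = None
            if line == self.enable_pw:
                self.state = "enable"
            return "\n" + self.prompt()
        cmd = line.strip()
        if cmd == "enable":
            self.pending = "enable"
            return "\nPassword:"
        if cmd == "show nvram":
            return ("\n<snip>\nPPP Port User Name = 00, %s\n"
                    "PPP Port User Password = 00, %s\n<snip>\n%s"
                    % (self.ppp_user, self.ppp_pass, self.prompt()))
        m = SET_PW_RE.fullmatch(cmd)
        if m and self.state == "enable":      # only superuser may set passwords
            setattr(self, m.group(1) + "_pw", m.group(2))
            return "\n" + self.prompt()
        if cmd == "exit":
            self.reconnect()
            return "\nConnection closed by foreign host."
        return "\nUnknown command\n" + self.prompt()


def audit(session):
    """Run the advisory's check: blank exec password, then blank enable.

    Returns a dict; None means 'not reachable from an anonymous login'.
    """
    findings = {"exec_password_set": None, "enable_password_set": None,
                "ppp_credentials": None}
    reply = session.send("")                  # just hit enter
    findings["exec_password_set"] = not reply.endswith("cbos>")
    if findings["exec_password_set"]:
        return findings
    reply = session.send("enable")
    if reply.endswith("Password:"):
        reply = session.send("")              # and enter again
    findings["enable_password_set"] = not reply.endswith("cbos#")
    if findings["enable_password_set"]:
        return findings
    creds = dict(PPP_CRED_RE.findall(session.send("show nvram")))
    if creds:
        findings["ppp_credentials"] = (creds.get("Name"), creds.get("Password"))
    return findings


def harden(session, exec_pw, enable_pw):
    """From the cbos# prompt, issue the two commands given in the Solution."""
    replies = [session.send("set password exec clear %s exec" % exec_pw),
               session.send("set password enable clear %s enable" % enable_pw)]
    return all(r.endswith("cbos#") for r in replies)


if __name__ == "__main__":
    dev = FakeCbos()                          # unpassworded, as in the log above
    print(audit(dev))
    harden(dev, "Ex3cPw", "En4blePw")
    dev.reconnect()
    print(audit(dev))                         # anonymous login now stops at Password:
```

The audit stops at the first password that holds, so a device with an exec password set reports enable and PPP credentials as None rather than guessing; harden() only succeeds from the cbos# prompt, mirroring the page's instruction to type 'enable' first.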